USC CSCI 530 - 06a_author-6up

This preview shows page 1-2 out of 5 pages.



CS530
Authorization - Policy
Bill Cheng
http://merlot.usc.edu/cs530-s10
CSCI 530, Spring 2010 Copyright © William C. Cheng

Authorization
determine whether to allow an operation
Final goal of system security
policy - rules followed by the system
Depends upon
possibly authentication
other characteristics - e.g., time of day, network threat condition, system load
authentication
audit - so that you can change policy to keep the bad guys out
policy can be based on identity

The Role of Policy in Security Architecture
Policy - defines what is allowed and how the system and security mechanisms should act
(misconfiguration - policy does not reflect intent)
Enforced By
Mechanism - provides protection
interprets/evaluates policy
(firewalls, ID, access control, confidentiality, integrity)
Implemented As
Software - which must be implemented correctly and according to sound software engineering principles

Policy: Review - The Access Matrix
also called Access Control Matrix
capability list (like a key ring)
Policy represented by an Access Matrix
one row per object
one column per subject/principal
tabulates permissions
but implemented by:
Access Control List (ACL)
recall that it’s harder to determine who has access with ACL

Policy models: Bell-LaPadula
based on Access Matrix - owner of an object can determine who has access
write UP, read DOWN
Discretionary policy
Top Secret, Secret, Confidential, Unclassified
Mandatory policy
* property: S can write O if and only if Level S ≤ Level O
create categories so that some members in a class cannot see some documents
(more models in Bishop’s book, e.g., integrity policy)
owner of an object does not get to decide who has access
it’s possible that I can create a file that I cannot read
this approach tries to minimize the speed of secret leaks
administration
but no need to list all objects to which users have access
Three phases
session management
access checking
in UNIX, an object can belong to only a single group, inconvenient to create dynamic groups
In a way, similar to groups in UNIX, but more general
object policies fairly static
Typical policies
user’s roles can change
can implement separation of roles
Maps to typical organizational policies

Role Based Access Control

Security is More Than Mix of Point Solutions
firewalls and Virtual Private Networks
Today’s security tools work with no coordinated policy
authentication and Public Key Infrastructure
intrusion detection and limited response
intrusion response affected at firewalls, VPN’s and applications
We need better coordination
not just who can access what, but policy says what kind of encryption to use, when to notify ID systems
policies originate from multiple sources
Tools should implement coordinated policies
policies should adapt to dynamic policy changes triggered by activities like September 11th response
policies should adapt to dynamic threat conditions
read from existing applications or extended ACLs
Discretionary policies associated with objects
broadening or narrowing allowed access - can ignore discretionary policy
Local system policies merged with object policies
Policies imported from policy/state issuers
e.g., one module for reading .ssh files and one module for reading .htaccess files
e.g., deny all web accesses from certain domains
example of policy issuers is virus checker from Network Associates or Symantec
example of state issuers is HIPAA - healthcare related policy for healthcare providers
(cont...)

Policies Originate from Multiple Sources
these policies attach to user/process credentials and apply to access by only specific processes
Policies embedded in credentials
credential issuers (e.g. authentication and authorization servers) evaluate policies to decide which credentials to issue.
Policies evaluated remotely
e.g., extra audit required from outsiders
this also allows chaining
Policies imported from policy/state issuers (cont...)
ID system issues state credentials
these credentials may embed policy as well

Policies Originate from Multiple Sources (Cont...)
HIPAA, other legislation
Privacy statements
Discretionary policies
Mandatory policies (e.g. classification)
Business policies
e.g., access to student records
need to know how it is actually enforced

Policies Origins Summary

GAA-API: Integration through Authorization
not really new - this is a reference monitor (as in TOPS-20 and MULTICS)
separate policy from mechanism
Focus integration efforts on authorization and the management of policies used in the authorization decision
applications shouldn’t care about authentication or identity
authorization may be easier to integrate with applications
e.g., key management, authentication, encryption, audit
hide the calls to individual security services
GAA: Generic Authorization and Access-control
dynamic policy
can perform adaptive audit
when ID detects something, start collecting additional information or start requiring authentication even for internal users

GAA-API
need information at the application level
Ex: SSL is in the lower layer, it cannot deal with user certificates
Sometimes it is not possible to plug in security at low level
return value is either yes, no, or maybe
GAA-API: application just asks if something is allowed
maybe means you need additional things, e.g., network source address must come from a certain domain (this information, again, may not be available at lower layers)
why not an identity?
Subject/principal is represented by a Security Context (SC)
because sometimes it’s not necessary, e.g., to access this, pay $5 (no authentication)

GAA-API (Cont...)
the language used by GAA
EACL (extended ACL)
extended to include information such as:
time of day
network threat condition
system load

Authorization and Integrated Security Services
Integration of dynamic security services creates feedback path enabling effective response

